43 matches found
EUVD-2015-7292
Malware in sbrugna...
EUVD-2021-25500
Malware in sbrugna...
EUVD-2022-5838
Malicious code in bioql PyPI...
CVE-2025-51605
An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make...
Linux Distros Unpatched Vulnerability : CVE-2025-47908
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers ACRH heade...
CVE-2025-47908
Middleware causes a prohibitive amount of heap allocations when processing malicious preflight requests that include a Access-Control-Request-Headers ACRH header whose value contains many commas. This behavior can be abused by attackers to produce undue load on the middleware/server as an attempt...
Sensitive Information Disclosure
@auth0/nextjs-auth0 is vulnerable to Sensitive Information Disclosure. The vulnerability is due to missing cache control headers due to session cookies being cached by CDNs, potentially exposing sensitive session information to unauthorized users...
CVE-2025-48947
The CVE describes a vulnerability in the Auth0 Next.js SDK (auth0/nextjs-auth0) affecting versions 4.0.1–4.6.0 where __session cookies set by auth0.middleware can be cached by CDNs due to missing Cache-Control headers. Preconditions require: (1) use of the NextJS-Auth0 SDK, (2) CDN/edge caching o...
CVE-2025-32421
Next.js is a React framework for building full-stack web applications. Versions prior to 14.2.24 and 15.1.6 have a race-condition vulnerability. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML. Thi...
SUSE SLES15 / openSUSE 15 Security Update : tomcat (SUSE-SU-2025:0058-1)
The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:0058-1 advisory. Update to Tomcat 9.0.98 - Fixed CVEs: - CVE-2024-54677: DoS in examples web application bsc1234664 - CVE-2024-50379:...
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
Summary Insufficient validation of outbound header values may lead to request splitting or response splitting attacks in scenarios where attackers have sufficient control over outbound headers. Details Outbound trilliumhttp::HeaderValue and trilliumhttp::HeaderName can be constructed infallibly a...
GHSA-VM9C-39JX-Q45W Moodle vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
lib/filelib.php in Moodle through 2.2.11, 2.3.x before 2.3.10, 2.4.x before 2.4.7, and 2.5.x before 2.5.3 does not send "Cache-Control: private" HTTP headers, which allows remote attackers to obtain sensitive information by requesting a file that had been previously retrieved by a caching proxy...
Glassdoor: Web Cache Poisoning leads to Stored XSS
@bombon reported to us a web cache poisoning issue that led to caching of gdTokenAnti-CSRF token across different Glassdoor pages and in some instances could be chained to perform XSS by caching the XSS payload. This has now been resolved using CF web cache armor and cache-control headers...
in publify/publify
Description publify does not use secure Cache-Control headers. Proof of Concept 1: Login to application 2: click on admin link https://demo-publify.herokuapp.com/admin 3: Logout 4: Press the back button of the opened tab to still see that you can view the information . Impact This issue is capabl...
in bookstackapp/bookstack
Description Bookstack does not use secure Cache-Control headers. Proof of Concept 1: Login to application 2: View a shelf 3: Logout 4: Press the back button of the opened tab to still see that you can view the information about books previous page of your shelf. Impact This issue is capable of...
CVE-2020-7460
In FreeBSD 12.1-STABLE before r363918, 12.1-RELEASE before p8, 11.4-STABLE before r363919, 11.4-RELEASE before p2, and 11.3-RELEASE before p12, the sendmsg system call in the compat32 subsystem on 64-bit platforms has a time-of-check to time-of-use vulnerability allowing a mailcious userspace...
UBUNTU-CVE-2020-15005
In MediaWiki before 1.31.8, 1.32.x and 1.33.x before 1.33.4, and 1.34.x before 1.34.2, private wikis behind a caching server using the imgauth.php image authorization security feature may have had their files cached publicly, so any unauthorized user could view them. This occurs because...
CVE-2017-6080
CVE-2017-6080 affects Zammad versions prior to 1.0.4, 1.1.x before 1.1.3, and 1.2.x before 1.2.1. Root cause: missing protection via HTTP Access-Control headers. Attack surface: cross-domain requests to the REST API for users with a valid session cookie, enabling disclosure of results. Impact ran...
Design/Logic Flaw
Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...
CVE-2015-7368
Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache...